Decision 202/2006 Mr Angus Macdonald and Greater Glasgow NHS Board
Audit information gathered by a managed clinical network – personal data relating to third parties – section 38(1)(b) – actionable breach of confidence – section 36(2) – free and frank exchange – sections 30(b)(i) and (ii) – section 30(c) – prejudice to the effective conduct of public affairs –consideration of the public interest – timescales for responding to requests and review – sections 10(1) and 21(1) – conduct of review
Audit data gathered by the West of Scotland Managed Clinical Network for Colorectal Cancer
Applicant: Mr Angus Macdonald
Authority: Greater Glasgow NHS Board
Case Nos: 200502624 & 200600092
Decision Date: 13 November 2006
Kevin Dunion
Scottish Information Commissioner
Facts
Mr Macdonald made two separate but overlapping requests for audit data gathered by the West of Scotland Managed Clinical Network for Colorectal Cancer (the MCN). This information is held by Greater Glasgow NHS Board (the Board) for the purposes of the Freedom of Information (Scotland) Act 2002 (FOISA). The Board refused to provide most of the information requested by Mr Macdonald on the grounds that it was exempt from release under sections 30, 36 and 38 of FOISA.
Having first sought internal reviews of the handling of these requests, Mr Macdonald made two separate applications for decision by me in relation to the handling of his requests by the Board. These applications were conjoined for the purposes of investigation and this decision.
Outcome
The Commissioner found that the Board had acted in accordance with Part 1 of FOISA in withholding the audit data. He concluded that this was exempt from release under sections 36(2) and 30(c) of FOSIA, and that the public interest in maintaining the exemption in section 30(c) outweighed that in disclosure.
The Commissioner found that the Board had acted in breach of section 10(1) and 21(1) of FOISA by failing to supply its responses to Mr Macdonald’s requests, and to his second request for a review, within the required 20 working day timescales.
The Commissioner did not require any steps to be taken by the Board in response to these technical breaches.
Appeal
Should either Mr Macdonald or the Board wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days of receipt of this notice.
Background
1. This decision is concerned with two separate but overlapping requests for information made by Mr Macdonald. I will refer to these as the first and second requests respectively below.
The first request
2. On 15 March 2005, Mr Macdonald wrote separately but in identical terms to two employees of Greater Glasgow NHS Board (the Board). These letters contained requests under the terms of the Freedom of Information (Scotland) Act 2002 (FOISA) for access to data gathered by the West of Scotland Managed Clinical Network for Colorectal Cancer (the MCN) from Ross Hall Hospital over the period 2001 – 2003.
3. The MCN is a “virtual” organisation that brings together clinicians across a number of NHS Boards in the West of Scotland to support colorectal cancer services across this area. One of the functions of this network is to facilitate comparative audit of performance, providing feedback to clinicians and managers on the performance of individual clinical units and regional performance. Summary findings of this audit are set out in the MCN’s annual report. Ross Hall Hospital is a private healthcare provider in Glasgow which participates in the MCN and its audit process.
4. The Board is the host organisation for the MCN, and holds the information gathered by it for the purpose of FOISA. Mr Macdonald requested the following:
a) A summary of the data from Ross Hall Hospital which went into the MCN report for years 2001 and 2002.
b) A copy of the database used to generate the summaries for Ross Hall Hospital for these years. The request specified further that the database should contain information on the type of operation, operation code, diagnostic code and site of tumour.
c) A copy of the original audit forms for years 2001, 2002 and 2003.
d) A copy of the pathology report files for years 2001, 2002 and 2003.
5. Mr Macdonald’s request specified the format in which he wanted the information to be supplied. This was an Access database on disc for (b), and A4 copies of
(a), [a further copy of] (b), (c), and (d). The request also indicated that patients’ names, addresses and dates of birth should be removed from (b), (c) and (d), although their unit numbers should be retained in (b). Mr Macdonald specified finally that the names of operating surgeons should be retained in (b), (c) and (d).
6. A letter from the Board dated 5 April 2005 acknowledged Mr Macdonald’s request and confirmed that it was being handled under procedures for responding to requests for information under FOISA. This letter indicated that a response would be supplied within 20 working days or less. In subsequent correspondence, Mr Macdonald was informed that a response should be issued no later than 14 April 2006.
7. In further communications, the Board advised Mr Macdonald that the timescale for responding to the request would not be met, and sought an extension of the period in which a response would be supplied. Mr Macdonald confirmed that he would accept such an extension of the timescale on 20 April 2005.
8. A refusal notice was issued by the Board on 22 April 2006. This confirmed that the information Mr Macdonald had requested was held by the Board, but stated that it was considered exempt under the terms of section 36 of FOISA. The refusal notice stated that the Board had consulted with Ross Hall Hospital, which had reminded it that the information requested was provided on a confidential basis, and that disclosure would constitute a breach of that agreement.
9. Mr Macdonald wrote again to the Board on 1 June 2006, requesting a review of the handling of his request.
10. A response was supplied on 30 June 2005 following a review conducted by a non-executive member of the Board. This upheld the Board’s initial reliance upon the exemption in section 36(2) of FOISA when refusing Mr Macdonald’s request. However, it highlighted a number of issues in the initial handling of the request. These were:
a) The failure to respond to the request within the 20 working day timescale. An unreserved apology was offered for this failure.
b) The reviewer saw no rationale for reliance upon the exemption in section 36(1) of FOISA.
c) The refusal notice failed to fully comply with the requirements of section 16 of FOISA by failing to explain why the exemption in section 36(2) applied. Again, the Board apologised for this oversight and offered a more detailed explanation for the application of the appropriate exemption.
d) The review concluded that the exemption in section 38(1)(b) (which, read in conjunction with section 38(2)(a)(i), applies where the information sought is personal data for the purposes of the Data Protection Act 1998 (DPA), and disclosure of the information to a member of the public otherwise than under FOISA would breach any of the data protection principles) should also have been relied upon in relation to the information withheld.
11. A further series of correspondence between Mr Macdonald and the Board followed the outcome of the review. In these letters, Mr Macdonald challenged the findings of the review, and sought a further internal review by the Board. The Board responded in some detail to the points raised by Mr Macdonald, but in a final letter dated 19 August 2005 reiterated that he had a right to make an application to me on this matter, but not to request a further internal review.
12. Mr Macdonald then made an application for a decision by me in relation to this request in a letter dated 15 September 2005, which was received by my Office on 19 September 2005.
The second request
13. Mr Macdonald’s second request for information was submitted to the Board in a letter dated 28 August 2005. This requested:
a) Copies of original audit forms and corresponding pathology forms for the years 2001, 2002 and 2003.
b) The total number of cases on the database for Ross Hall Hospital for 2001, 2002 and 2003.
c) Letters sent by a named person, and any other member of staff working for the audit department within Glasgow Royal Infirmary, seeking submission of audit forms that were outstanding from 2001, 2002 or 2003. These letters were requested to be provided alongside the corresponding pathology form.
14. By requesting again the original audit and pathology forms, this request overlaps significantly with the first request. However, the two requests differ in respect of the way in which Mr Macdonald suggested that the forms should be modified and presented in an effort to prevent patient identification.
15. Mr Macdonald’s second request again specified the manner in which he wanted the information to be supplied to him. He indicated that patients’ names, addresses and dates of birth should be removed from the items requested in a) and c). He also indicated that the records requested should be modified according to one of two methods. The alternative modifications proposed were:
a) All but the last two digits of the unit number to be removed
b) The entire unit number removed and forms instead numbered according to the year of origin – 2001(1), 2001(2)… 2002(1), 2002(2) etc
16. Although not clearly stated in this request, Mr Macdonald has since confirmed to my Office that the intended scope of this request extended only to audit forms relating to the treatment of colorectal cancer at Ross Hall Hospital. This interpretation was assumed by the Board in responding to the request.
17. The Board responded to this request in a letter dated 29 September 2005, the 19th working day following the receipt (on 2 September) of Mr Macdonald’s request. However, I understand that it was not actually sent until 3 October 2005, the 21st working day after the receipt of the request.
18. The Board’s response explained that information falling under this request was held, but that it was exempt from release under various sections of FOISA. Audit and pathology forms (part (a) of the request) were judged to be exempt under section 30 and section 38(1)(b) of FOISA. The total number of cases for Ross Hall Hospital in 2001, 2002 and 2003, requested in part (b) was stated to be exempt under section 36(2). Finally, the letters requested under part (c) were judged to be exempt under section 38(1)(b).
19. In response to this refusal, Mr Macdonald sought some clarification of what information was held in relation to the request (c) for letters sent by the audit department. Following receipt of clarification, Mr Macdonald then sought a review of the decision on 29 September in a letter dated (and sent by email on) 17 November 2005. Mr Macdonald’s letter expressed dissatisfaction on a number of grounds, including:
a) The Board’s failure to respond within the 20 working day timescale set out in FOISA.
b) His belief that open and free scrutiny of audit results is in the public interest and outweighs any concerns over confidentiality in relation to the audit and pathology forms sought in part (a) of the request.
c) His belief that there was no reason to withhold the total numbers of cases requested in part (b)
d) His belief that the Board had failed to correctly identify all relevant letters under part (c) of the request.
20. The response to this request for a review was provided in a letter dated 19 December 2005. A copy of the report prepared by the reviewer (a non-executive Board member) was supplied along with this letter. The reviewer identified a number of issues with respect to the response initially supplied by the Board. As a result, in the outcome of the review, the Board:
a) Acknowledged and apologised for the failure to respond within the timescale set out in section 10 of FOISA. The Board noted that internal procedures for responding to requests for information were being reviewed to ensure that future requests were dealt with promptly and within the required timescales.
b) The Board’s reliance upon the exemption in section 30 of FOISA in relation to the audit and pathology forms was no longer pursued
c) The total number of audit and pathology forms from Ross Hall Hospital for 2001, 2002 and 2003 was confirmed following consent to this disclosure being granted by the Hospital.
d) Copies of two letters held by the MCN’s office in Glasgow were released in response to part (c) of this request, with the names of individual surgeons and their patients redacted. The Board maintained that release of the surgeon’s names would be an actionable breach of confidence and so this information was exempt under section 36(2) of FOISA. The patient details were judged to be exempt under section 38(1)(b) of FOISA.
21. Mr Macdonald then made an application for a decision by me in relation to this second request (after first seeking and receiving clarification from the Board on some points raised in its letter of 19 December) in a letter dated 4 January 2006, which was received by my office on 11 January 2006.
Investigation
22. Mr Macdonald’s two applications for decision by me were received on 19 September 2005 and 11 January 2006 respectively, and were allocated to an investigating officer. In each case, the application was then validated by establishing that that Mr Macdonald had first made a valid information request to a Scottish public authority (i.e. the Board) under FOISA and had appealed to me only after asking the Board to review its response to the request.
23. Mr Macdonald’s first application explained the wider context of his case, advising me that his request for audit data was prompted by his concerns about the accuracy of certain results reported within the MCN’s annual report for 2003. Copies of various documents illustrating the background to this matter were also supplied.
24. Mr Macdonald indicated that in his view the public interest in clarifying the accuracy of the 2003 report outweighs any issue of confidentiality. He also suggested that his own professional status (as both a surgeon and a member of the MCN) meant that the concerns about wider release need not prevent the information being made available to him.
25. Mr Macdonald also asked me to consider whether the Board’s responses to his requests fulfilled the technical requirements of FOISA.
26. Following the receipt by my Office of Mr Macdonald’s second application for decision, the investigating officer informed both parties that she would investigate this alongside the first application and recommend to me that a single decision be issued in relation to these.
27. The grounds for Mr Macdonald’s dissatisfaction in relation to the second request were:
a) The apparent failure to meet the timescales set out in FOISA when responding to the initial request and request for review.
b) His view that by removing patient identifiers in the ways he suggested, identification of individual patients was not possible from the remaining contents of the information requested;
c) Again, his view that the public interest in confirming the accuracy or otherwise of the annual report outweighed any confidentiality;
d) Dissatisfaction with the Board’s responses to the part of the request that sought letters sent to request audit returns.
Investigation process
28. Following receipt of Mr Macdonald’s first application, the investigating officer wrote to the Board (on 5 October 2005) informing it that an appeal had been received and that an investigation into the matter had begun. The Board was invited to comment on the case in terms of section 49(3)(a) of FOISA, and was also asked to provide a range of information and evidence, including:
a) Samples of each of the types of audit data requested by Mr Macdonald, along with confirmation of the number of audit and pathology forms held relating to Ross Hall Hospital for each of the years covered by his request.
b) Explanation for the Board’s reasoning when applying the exemptions in section 36(2) and 38(1)(b) of FOISA, and confirmation of whether it would be possible to remove the possibility of the identification of patients.
29. The Board’s response to these requests was received on 4 November 2005.
30. When Mr Macdonald’s second application was received, the associated correspondence confirmed that different considerations appeared to have been applied by the Board when refusing access to audit and pathology forms. In this case, the refusal had relied upon, in the first instance, sections 30 and 38(1)(b) of FOISA. At the internal review stage, the reviewer had suggested that reliance on section 30 was inappropriate in the light of my decisions 065/2005 and 066/2006, which required the release of individual surgeons’ mortality rates. At the point where this second case reached me, therefore, the audit and pathology forms appeared, in contrast with the position under consideration in relation to the first request, only to be considered exempt under the terms of section 38(1)(b) of FOISA.
31. The investigating officer wrote to the Board again on 19 January 2006 informing it that a second appeal had been received and that an investigation into the matter had begun. The Board was also invited to comment on this case in terms of section 49(3)(a) of FOISA.
32. This letter also noted that different considerations appeared to have been applied in this case compared with those applied in response to the first request. Clarification was sought as to which exemptions the Board wished to be considered in relation to audit and pathology data (whether in terms of database entries or original forms). The investigating officer also requested further information to support and clarify the scope of both investigations, including:
a) Detailed background information on the MCN and the audit process.
b) Confirmation of whether the Board’s submissions of November 2005 in relation to section 36(2) of FOISA should be assumed to also apply in the new case; or whether the Board no longer wished to rely upon this exemption in relation to individual audit returns.
c) Confirmation of whether the Board would like me to consider the application of section 30 in relation to the audit data.
d) Details of how the Board believed patients might be identified should the data be presented in the manner suggested by Mr Macdonald in his second request.
e) Details of the steps followed in determining whether copies of letters sent to surgeons seeking submission of audit forms were held by the Board.
33. The third request detailed in paragraph 32(c) is unusual, in that my Office will rarely ask a public authority to consider an exemption that it is not already relying on following its own review of the case. However, this approach was prompted by the observation that the reviewer of Mr Macdonald’s second request appeared to have overturned the Board’s initial reliance upon section 30 on an assumption that my findings in relation to surgical mortality data would automatically apply here.
34. There are significant differences between the types of data under consideration in this case and the surgical mortality data I have previously considered. Crucially, the surgical mortality data considered in decisions 065/2005 and 066/2005 were gathered through routine and automatic data collection processes, which did not rely upon the willing participation of surgeons.
35. The audit data under consideration in this case were created and gathered as part of a voluntary audit process that requires willing participation on the part of clinicians if it is to succeed. Having discussed this matter briefly with me, the investigating officer concluded that the Board had (in good faith) wrongly assumed that my decision on mortality rates entailed that the same conclusion would be reached here. Her letter invited the Board to make a submission in relation to any exemption(s) under section 30 of FOISA that it wanted me to consider in the context of the particular circumstances of these cases.
36. The Board’s response to this second request was received on 13 February 2006. Further clarification was sought from and provided by the Board in relation to a number of minor points in June 2006 and July 2006.
37. The Board’s various submissions to my Office confirmed that it considers the audit data (by which I mean the database entries and the audit and pathology forms from which these are derived) to be exempt from release under five exemptions set out in Part 2 of FOISA. These are:
a) Section 30(b)(i) which applies where release would, or would be likely to inhibit substantially the free and frank provision of advice
b) Section 30(b)(ii), which applies where release would, or would be likely to inhibit substantially the free and frank exchange of views for the purposes of deliberation
c) Section 30(c), which applies where release would, otherwise than under sections 30(b)(i) an 30(b)(ii), prejudice substantially, or would be likely to prejudice substantially, the effective conduct of public affairs
d) Section 36(2), which applies where the information has been obtained by a Scottish public authority from another person (including another such authority) and disclosure by the authority so obtaining it to the public (otherwise than under FOISA) would constitute a breach of confidence actionable by that person or any other person.
e) Section 38(1)(b), read in conjunction with section 38(2)(a)(i), which applies to information that is personal data where disclosure of the information to a member of the public otherwise than under FOISA would contravene any of the data protection principles.
38. In the course of the investigation, I also received submissions from the surgeon who is the Lead Clinician for the MCN. Although this surgeon is not an employee of the Board, his role with respect to the MCN meant that his comments provided further background information on the operations of the MCN that form the context for this case.
39. I have taken all of the comments and submissions to me from the Board, Mr Macdonald, and the Lead Clinician for the MCN into consideration in reaching my conclusion below. Key points from this are set out in my findings below.
The Commissioner’s analysis and findings
40. Below, I will address three main questions in turn. These are:
a) Whether the board should supply Mr Macdonald with copies of actual audit and pathology forms and database entries that it holds in relation to Ross Hall Hospital for the years 2001, 2002, 2003. If they should be released, what amendments should be made to unit numbers to minimise the risk of patient identification? (request 1 and request 2)
b) Whether the Board should provide a “summary” of the database content / confirm the total number of database entries (rather than confirm the number of audit and pathology forms) for 2001, 2002 and 2003. (request 1 and request 2)
c) Whether the Board has correctly identified and supplied all letters that it holds that were sent to Ross Hall Hospital seeking the submission of audit or pathology forms for these years. (request 2 only)
d) Whether the Board has breached any of the technical requirements of FOISA in the way it has responded to Mr Macdonald’s requests (request 1 and request 2).
41. I note that, following its review of request 2, the Board confirmed the number of each type of form held for the years 2001, 2002 and 2003 and which relate to Ross Hall Hospital. However, in the course of my investigation, it became clear that, as a result of a routine records management practice of securely destroying the original forms that formed the basis of the database entries, the number of forms held for these years does not match precisely the number of database entries.
42. This means that the provision of the number of forms held did not satisfy either the request for a “summary” of the data that went into the MCN reports for 2001 and 2002 (request 1), or the request for the total number of database entries in request 2. The Board has confirmed that, having sought the views of Ross Hall Hospital, the Hospital has not consented to the disclosure of this information, and so it considers that the exemption in section 36(2) still applies to this information.
43. Before addressing (a) – (d) in detail, I also want to comment briefly upon one further general matter that was raised in the course of this case. Mr Macdonald is a surgeon, and member of the MCN. As a result he is bound, like any other medical professional, to respect and protect patient confidentiality. He has suggested in his correspondence with both the Board and my Office that this means that release of information to him would not entail a breach of patient confidentiality, or wider release of information.
44. While I do not question Mr Macdonald’s professional commitment to the protection of patient confidentiality, FOISA does not distinguish between different types of requestor, or the purposes for which they have made their request. My decisions cannot do so either.
45. If my decision requires release of information to Mr Macdonald, this will imply that the Board should (in the absence of change to the circumstances that have determined my decision) release the same or similar information to any other person who requests it in future. Release under FOISA is effectively release into the public domain. For this reason, the professional status of the applicant in this case can have no bearing on my consideration of whether he should be provided with the information he has requested.
Should the audit data be released?
46. I turn now to the first of my specific questions. A number of exemptions have been invoked by the Board in support of its view that this information should be withheld.
Sections 30(b)(i) and (ii), and section 30(c)
47. I will consider these three exemptions under section 30 of FOISA together because the Board’s arguments for their application to the database entries and the audit and pathology forms on which these are based are closely interrelated. In particular, the Board suggested that release would
a) substantially restrict open discussions among clinicians and management with regard to audit outcomes and procedures;
b) adversely affect the MCN’s risk management where key aims are to encourage the free exchange of information in order to ensure best clinical practice at all levels within the organisation at all stages;
c) substantially prejudice the voluntary participation of clinicians in clinical audit; and
d) substantially prejudice the future participation of Ross Hall Hospital in this and other clinical audits.
48. In order to judge whether these exemptions do apply, it is necessary to understand the nature of the audit data, the context in which they are gathered and the purposes for which they are collected.
49. The broad purpose of the MCN is to support colorectal cancer services in the West of Scotland. Its membership is drawn from all NHS colorectal services in the West of Scotland, and also Ross Hall Hospital, a private healthcare provider in Glasgow.
50. Membership of the MCN is voluntary, and all staff treating colorectal cancer patients are encouraged to be a member. Membership is based on compliance with 3 core principles:
a) To treat all patients according to guidelines (best practice)
b) To submit all cases to a multi disciplinary peer review process
c) To complete a MCN audit form for each patient.
The Board informs me that, to date, it has not been notified by any individual surgeon that they do not wish to be considered a member of the MCN. I understand this to mean that the MCN is currently able to gather and analyse data in relation to the treatment of a high proportion of patients treated in participating hospitals.
51. The MCN’s clinical audit enables comparison of performance across different clinical units and across the region as a whole. Data are gathered spanning a patient’s journey from initial referral, to diagnosis, treatment, discharge, or potentially their death. These record activities of surgeons, radiologists, pathologists, nurses and oncologists.
52. The main purpose for which the audit data are gathered is to assure the quality of care and treatment of patients. Secondary purposes are to inform service improvements, future research in clinical practice and outcome analysis.
53. The Board has emphasised that the audit data are gathered by the MCN from individual surgeons and institutions under an express understanding that the data are confidential. Analysis of the audit data is reported each year in the MCN’s annual report, which presents audit data in an anonymised form. For the 2003 report, for example, data were presented in 7 numbered columns, representing but not identifying the 6 NHS trusts and the one private hospital participating in the audit process.
Conclusions on the application of sections 30(b)(i), 30(b)(ii) and 30(c)
54. The Board’s submissions on the application of section 30 in this case are compelling. It has suggested that should the audit data be released in response to Mr Macdonald’s request under FOISA, individual clinicians would be deterred from participating in this voluntary audit process; and so the MCN’s future ability to collect and share information about the treatment of colorectal cancer in the West of Scotland would be endangered.
55. Public release of the audit data would allow their use for purposes quite different from those for which they are gathered, and would go against the perceived confidentiality of submissions. For example, the audit data include details of the hospital, surgeon and pathologist involved with the treatment of each patient. While this allows each individual hospital to review the performance of its own clinicians; the MCN does not publicly report or analyse its findings on this basis. The presentation of data in its annual reports does not identify individual institutions.
56. By enabling direct comparison of institutional, or of individual clinical performance, release of the audit forms would therefore widen significantly the purposes for which the data might be used. I accept this would also undermine the basis upon which the MCN currently operates.
57. I agree with the Board that the release of the audit data under consideration in this case would be likely to threaten the future successful continuation of the MCN’s audit process, by deterring some or all individual clinicians from recording and sharing information about their activities.
58. Without the willing participation of clinicians, the MCN’s audit process cannot continue to work effectively. Without full and robust audit data, the MCN’s ability to fulfil its core purpose of contributing to the delivery of high quality health care would also be diminished. Were such circumstances to arise, this would clearly be detrimental to the effective conduct of public affairs.
59. The test of substantial prejudice within FOISA is a high one. When making a case for the application of any exemption that includes this test, an authority must be ready to demonstrate that the harm it foresees following from release would be real or very likely, not hypothetical. The harm caused must be significant, not marginal, and it would have to occur in the near future not in some distant time.
60. In this case, I am satisfied that the test of substantial prejudice contained within section 30(c) is met; and therefore I find that this exemption does apply to the audit data.
61. However, I do not accept that either of sections 30(b)(i) or 30(b)(ii) of FOISA apply to the audit data. This is because information recorded within the audit forms and database is of, essentially, a factual nature that I do not consider to be either opinion or views. It seems to me that it is the willingness of clinicians to engage in the sharing of this factual information that is at risk in this case; rather than their willingness to participate in discussion about the data, or wider clinical practice.
62. Therefore, while I accept much of what the Board has said on this matter, I do not find it relevant to the application of sections 30(b)(i) and (ii).
Consideration of the public interest
63. Section 30(c) is a qualified exemption, in that it is subject to the public interest test contained in section 2(1)(b) of FOISA. So, having concluded that section 30(c) applies to the audit data, I must go now consider whether in all the circumstances of the case, the public interest in maintaining this exemption outweighs that in disclosing the information.
64. In favour of maintaining the exemption, the Board has submitted that the overriding importance of clinical audit data is to ensure free and frank discussions with a view to providing an optimum review of performance. The Board states that there is a public interest in there being processes in place to allow review of procedures and outcomes as part of the process of advancing the safety of clinical care and treatment of patients.
65. There is little doubt that it is in the public interest that healthcare providers, through MCNs or similar networks, are able to review and compare performance, and to share knowledge and information to secure improvements in the delivery of healthcare. It is also in the public interest that, where possible, such networks also include private sector providers, to allow the widest possible sharing of best clinical practice and expertise.
66. Having accepted this, I also conclude that it would be contrary to the public interest to require release of information where this would undermine the ability of such networks to carry out their core functions. Therefore, there are strong public interest considerations favouring the maintenance of the exemption in this case.
67. Mr Macdonald has expressed the conflicting view that in this case the public interest still favours release. He has explained that he believes that certain findings reported in the MCN’s 2003 annual report are inaccurate, and that access to the actual audit data held relation to Ross Hall Hospital would confirm the accuracy or otherwise of the reported data.
68. Mr Macdonald’s concerns about the accuracy of the data have prompted him to raise serious allegations in relation to the audit process, and have led to other events that it is not necessary to detail in the context of my decision. Mr Macdonald’s view is that, in this context, the public interest strongly favours the release of the audit data because this would allow confirmation of the accuracy or otherwise of the data; and in turn to confirm whether or not there is any evidence of malpractice in this matter.
69. Mr Macdonald’s submissions have raised serious questions about the audit process, and I agree that release of the data he has requested would allow fuller debate and understanding on this matter. This is a factor weighing in favour of release. However, I do not accept that this is an overriding factor.
70. I am of the view that there is a greater public interest in the continuation of an environment in which rigorous clinical audit contributes to the development and improvement of services, than in demonstrating with absolute certainty whether or not there was any inaccuracy in the reporting of data in the 2003 report. Having considered the competing arguments put to me with regard to the public interest in this case, I have concluded that the public interest in maintaining the exemption in section 30(c) outweighs that in disclosing the information.
71. In reaching this conclusion, I note that the MCN has conducted and reported back to Mr Macdonald on a review of these data in an attempt to allay concerns. In the circumstances, I believe it would be unjustified for me to require it to provide full access to the data requested by Mr Macdonald under FOISA.
Section 36(2) – actionable breach of confidence
72. In order to rely on section 36(2), an authority needs to demonstrate certain elements. Firstly, the information must have been supplied by another person. As the audit data has been supplied by Ross Hall Hospital to the Board (as the MCN’s host organisation), that is the case here.
73. The second test is that the disclosure of the information by the public authority would constitute a breach of confidence actionable either by the person from whom the authority obtained the information or by any other person. I take view that actionable means that the basic requirements for a successful action appear to be fulfilled. There are three main requirements, all of which must be met before a claim for breach of confidentiality can be established. These are:
a) The information must have the necessary quality of confidence about it. It must not be generally accessible to the public already.
b) The information must have been received by the public authority in circumstances from which an obligation on the authority to maintain confidentiality could be inferred. The obligation may be express (for example, in a contract or other agreement), or implied from the circumstances or the nature of the agreement between the parties.
c) There must be a disclosure or use of the information which is not authorised by the person who communicated the information but which would cause detriment to that person.
74. In my published briefing on Section 36 I indicated that the type of information which can be protected by the law of confidence is very wide and can range from highly personal information to information about trade and business and historical information about government. In order for information to have the necessary quality of confidence, it must not, in general, be common knowledge and a member of the public would have to apply skill and labour to produce the information him or herself.
75. In its submissions to my Office, the Board has confirmed that there is no written agreement with Ross Hall Hospital with regard to the confidentiality of data provided to the MCN. However, I am advised that a verbal agreement was made to the effect that no information regarding the audit would be shared outwith the MCN.
76. In April 2005, the Board sought Ross Hall Hospital’s views on this matter. The Hospital’s response made clear that it understood the data to be confidential, and would consider disclosure to be a breach of this confidence. Ross Hall Hospital noted that as a private institution, its business would be put at risk by disclosure of the information. In the course of my investigation, the Board received Ross Hall Hospital’s consent to release to Mr Macdonald details of the total number of audit returns for the years covered by his request. However, it is clear that no consent would be granted for the release of the actual audit and pathology forms or database contents based on these. The Hospital has also refused to consent to the release of the total number of database entries (as opposed to the number of forms held) or a “summary” of the data for the relevant years.
77. In this case I am satisfied that, although not set out in any written agreement, the MCN’s audit process is based on an understanding between the various parties that the audit data should be treated as confidential. Furthermore, I am also satisfied that the information itself has the necessary quality of confidence. The manner in which the audit data is protected and reported by the MCN means that it is not publicly available and supports the conclusion that it is provided to the MCN in a context that creates a duty of confidentiality. I am also satisfied that release of this data would have a detrimental effect on Ross Hall Hospital.
78. The exemption under section 36(2) is an absolute exemption and is not subject to the public interest test under section 2 of FOISA. However, public interest considerations must also be taken into account when applying this exemption. Although the law of confidence recognises that there is a strong public interest in ensuring that people respect confidences, and the burden of showing that a failure to maintain confidentiality would be in the public interest is therefore a heavy one, in certain circumstances, the public interest in maintaining confidences may be outweighed by the public interest in disclosure of information. The courts have considered that there may be a public interest defence to actions of breach of confidentiality where to enforce an obligation of confidence would cover up wrongdoing, allow the public to be misled or unjustifiably inhibit public scrutiny of matters of genuine public concern. However, in the circumstances of this particular case, I cannot see a reasonable basis to conclude that the Board would have a defence to an action of breach of confidence on public interest grounds in the event that it disclosed the information.
79. Therefore, I find that the exemption in section 36(2) of FOISA has been correctly applied to the audit data sought in Mr Macdonald’s two requests.
Section 38(1)(b)
80. Having already concluded that the audit data is exempt from release in its entirety under section 36(2) and 30(c), and that the public interest favours the maintenance of section 30(c), it is not necessary for me to consider further the application of section 38 in this case.
The Board’s response to the request for letters
81. Mr Macdonald has raised a number of concerns about the Board’s handling of the part of his second request that sought copies of any letters sent to surgeons at Ross Hall Hospital seeking submission of audit forms that were outstanding for the years 2001, 2002 and 2003.
82. The Board’s initial response refused to supply these letters because it judged them to be exempt under section 38(1)(b) of FOISA.
83. Mr Macdonald then sought clarification of what information was actually held in relation to this part of his request. A response confirmed that the Board believed that letters were held relating to the years 2001 and 2002.
84. Mr Macdonald subsequently made his formal request for review. This cited evidence that Mr Macdonald believed contradicted the Board’s earlier clarification, and he suggested that this revealed dishonesty on the part of the person who had provided this information. He argued that in the circumstances, the information should be released in the public interest.
85. The reviewer of this case reached the conclusion that the letters held should not have been considered exempt in their entirety under section 38(1)(b) of FOISA. The Board then released copies of two letters that were sent to Ross Hall Hospital, with the names of the surgeons and their patients removed. A further exchange of correspondence between the Board and Mr Macdonald provided further clarification of the extent of information held.
86. In particular, in this exchange the Board reiterated to Mr Macdonald that the letters released to him did not include all those issued. The Board confirmed that copies had not been retained of all letters sent, including the one that he had cited as evidence of dishonesty.
87. Mr Macdonald’s concerns with the handling of this part of his request appear to relate to the Board’s failure to hold records of exactly how many letters were issued to seek audit returns from Ross Hall Hospital, and records of whether responses were received. However, I can only address matters in my decision that relate to the Board’s handling of his specific request under FOISA; that is whether the Board correctly identified any relevant recorded information and supplied a response in line with statutory requirements. It is not within my remit to judge what information should be held by a public authority.
88. I am satisfied that the Board took adequate steps to identify any relevant letters that were held by it when these were requested by Mr Macdonald. I therefore am satisfied that all relevant information has now (following the Board’s internal review of this matter) been supplied to Mr Macdonald. This provision was subject to the removal of content identifying the specific patients and surgeons. However, Mr Macdonald has not expressed dissatisfaction with this removal of personal information and so I have not considered further this aspect of the handling of this request.
Technical aspects of the case
89. My Macdonald has also drawn to my attention to certain technical aspects of the handling of his requests for information by the Board.
90. I have found that the Board failed to comply with the timescale for responding to a request for information set out within section 10(1) of FOSIA in its handling of both requests under consideration here.
91. I have found that the Board failed to comply with the timescales for responding to a request for review set out in section 21(1) of FOISA in responding to Mr Macdonald’s request for a review, dated 17 November 2005, in relation to his second request for information.
92. I do not find that there has been any breach of the timescales set out in section 21(1) of FOSIA in relation to Mr Macdonald’s request for review of the handling of his first request, which was dated 1 June 2005.
93. I note that the Board has acknowledged and apologised to Mr Macdonald for its failure to comply with timescales on each of these occasions, and that steps have been taken internally to prevent further breaches of this kind in future. I therefore do not require any further steps to be taken in response to these breaches.
94. Mr Macdonald has also raised concerns about the Board’s handling of the review into his second request for information, observing in particular that a certain individual appeared to have been involved at both stages of considering his request. The Scottish Ministers’ Code of Practice on the Discharge of Functions by Public Authorities under the Freedom of Information (Scotland) Act 2002 (commonly known as the Section 60 Code) provides guidance on what is expected of public authorities when carrying out reviews under the terms of section 21 of FOISA. Paragraphs 65 and 66 state the following:
65. It is important that authorities put in place appropriate and accessible procedures for handling reviews. The review procedure should be fair and impartial and it should enable different decisions to be taken if appropriate. […] The procedure should be straightforward and capable of producing a determination of the review promptly and in any event, within 20 working days of receipt of the request for the review.
66. Where the requirement for review concerns a request for information under the general right of access, the review should generally be handled by staff who were not involved in the original decision. While this may not always be possible, it is important that the review procedure enables the matter to be considered afresh.
95. The key feature of a review process that complies with FOISA and these guidelines is that it will generally be conducted by a person who was not involved with the initial handling of a request, and this person is empowered to reach a different decision on the matter from that previously reached. However, this does not mean that people involved in handling the request in the first instance should not be consulted in the course of the review as part of the process of establishing whether the initial response was correct.
96. Having viewed evidence in relation to the reviews conducted concerning each of these cases, I have found no evidence to suggest that an appropriate review was not conducted in response to Mr Macdonald’s requests. Indeed, I commend the Board on the thoroughness and fairness with which the reviews were undertaken in each case, and on its willingness to engage in further correspondence with Mr Macdonald in an attempt to clarify the position on the matters he raised following these reviews.
Decision
I find that Greater Glasgow NHS Board (the Board) acted in accordance with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in withholding the MCN’s database entries and audit and pathology forms held in relation to Ross Hall Hospital for the years 2001, 2002 and 2003. I have concluded that this information is exempt from release under section 36(2) and 30(c) of FOSIA, and that the public interest in maintaining the latter exemption outweighs that in disclosure of the information. I do not find this information to be exempt from release under section 30(b)(i) or 30(b)(ii) of FOISA.
I also find that the Board has acted in accordance with Part 1 of FOISA in withholding the “summary” of the data held in the database and the total number of entries for Ross Hall Hospital as requested by Mr Macdonald under the terms of section 36(2) of FOISA.
I find that the Board acted in accordance with Part 1 of FOISA in its response to the part of Mr Macdonald’s second request seeking access to letters issued by the audit department at Glasgow Royal Infirmary.
I find that the Board failed to comply with Part 1 of FOISA in that it breached the requirements set out in section 10(1) in its responses to Mr Macdonald’s two requests for information, dated 15 March 2005 and 28 August 2005.
I also find that the Board failed to comply with Part 1 of FOISA in that it failed to comply with the requirements of section 21(1) of FOSIA in its response to Mr Macdonald’s request for review of the request of 28 August 2005.
I do not find any further breaches of the requirements of FOISA in the Board’s responses to Mr Macdonald’s two requests.
I do not require any steps to be taken by the Board in response to these technical breaches.
Kevin Dunion
Scottish Information Commissioner
13 November 2006
Link to PDF file of decision 202/2006 (101.8 kb)